Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:


Home / News
Important issues about GDPR that have to be examined, the Commission communication ex Article 97.

Important issues about GDPR that have to be examined, the Commission communication ex Article 97.

The Article 97 is one of the disposal less mentioned in the European Regulation 679/2016 and it has a particular relevance in the in so far as it formalises an important principle (reaffirmed by the article 98 for the other legislative acts of the Union about personal data protection), even if it is granted: the Regulation is not like the Tablet of the Laws by Moses and during the time it could be changed.

The examination of the Commision, based on paragraph 2 of the disposal, concerns in particular the application and the operation of the legislation of the Chapter V (data transfer out of EU). Anyway it is clear that the assessment can be intended/aimed at the whole legislative framework, like it is demonstrated by the text included in paragraph 2 (“…in particular,…”) and indirectly, paragraph 5 (“… The Commission presents appropriate changes to this Regulation, by keeping in mind, (…), of the development of information technologies and progress in the information society”).

The timing assigned by the standard betrays the rigid planner’s mentality. If the first report was expected by 25 May 2020, the next ones will be every four years. In relation to the complicated EU legislative mechanism and as it is also functional to possible changes to the Regulation, the timing of the evaluation and review may seem adequate, almost pressing, but can it be said the same if we consider the speed with which the world evolves and changes?

The June 2020 Communication – With a document dated 24 June 2020, the Commission formalised its Communication to the European Parliament and the Council, with the title “Data protection as a pillar of citizens’ autonomy and the EU’s approach to the digital transition: two years of application of the General Data Protection Regulation”.

The report highlights the difficulties encountered so far and envisages possible solutions, but does not draw definitive conclusions: it is as if the Regulation’s rules were (and remain) a huge open construction site, which is confirmed by everything that has happened and continues to happen below its level. The reference is not only to the legislative interventions of the States in the permitted spaces, but also to the outpouring of guidelines (Committee) and measures (control authorities).

For the Commission, the balance (or the budget, albeit provisional) is in any case on the right side: ‘in the general opinion, two years after the start of its application, the General Data Protection Regulation has successfully achieved its objectives of strengthening the protection of individuals’ right to the protection of personal data and ensuring the free movement of personal data within the EU’.

At a certain point, the reflection turns to SMEs, their difficulties in adapting, the support initiatives taken by some supervisory authorities (p. 10-11), with a call to consider further initiatives to facilitate the application of the Regulation. And yet, while it is true that “according to the risk-based approach, it would not be appropriate to provide for derogations based on the size of the operators, since their size does not in itself constitute an indication of the risks that the processing of personal data they undertake may entail for individuals”, it cannot be accepted either that the difficulty in applying the Regulation does not increase as the size and complexity of the organisations increases.

What we want to say, in a nutshell, is that simplification – or rather, simplicity (apart from the semantic diversity, the term ‘simplification’ regularly gives rise to concern rather than relief, because experience gives us interventions that are concretely non-resolutive and in any case unsuitable for achieving the objective they claimed to pursue)! – is or would be sacrosanct. For everyone.

The Commission’s considerations on the provisions and especially on the instruments for implementing the provisions of Chapter V are of particular interest. Considerations that betray a presentiment (see p. 13) that will later prove to be well-founded, in the light of the judgment of 16 July 2020 by which the CJEU has invalidated the ‘Privacy Shield’ and dictated real guidelines for the use of standard clauses. Moreover, there are those who do not see, in this second ruling (after the one of 2015 on the ‘Safe Harbour’), a sort of further ‘political’ defeat of the Commission’s work by the Court of Justice.

In any case, according to the Communication, the Commission’s commitment to facilitate the transfer of non-EU data is along the following lines:

– a ‘comprehensive modernisation’ of standard clauses, ‘in order to update them in the light of the general data protection regulation, so as to deal with all relevant transfer scenarios and better reflect modern business practices’, taking into account that ‘these clauses represent by far the most widespread data transfer mechanism, with thousands of European companies relying on them to provide a wide range of services to their clients, suppliers, partners and employees’;

– a review of the adequacy decisions in force today, all of which date back variously – with the exception of Japan, which came into force in February 2019;

– a substantial relaunch of the instrument of the adequacy decision (art. 45), taking into account the fact that it offers the greatest possible simplification to the data exporter – “the effect of this decision is to allow the free and secure movement of personal data to the third country in question without the data exporter having to provide further guarantees or obtain any authorisation” – which involves the United Kingdom (the current transitional period of application of EU law expires on 31 December 2020), the Republic of Korea (the related adequacy process being at an advanced stage) and, with somewhat less imminent results, several countries in Asia and Latin America.

Also related to Chapter V is the call to the European Data Protection Board, in particular, to clarify “the interaction between the rules on international data transfers (Chapter V) and the territorial scope (Article 3) of the General Data Protection Regulation”.

Nor should further exhortations to the Committee in the sense of ‘ensuring effective enforcement vis-à-vis operators established in third countries falling within the territorial scope of the General Data Protection Regulation, including the appointment of a representative, where appropriate (Article 27)’, ‘optimising the assessment and possible approval of binding corporate rules in order to accelerate the process’, ‘completing work on the architecture, procedures and evaluation criteria for codes of conduct and certification mechanisms as instruments for data transfers’.

A few stones in the pond – I am not going to change the rest of the content of the Communication (which includes concerns about the level of fragmentation due to the legislative interventions of the States, which are being evaluated – see p. 17 -, significant exhortations to Member States to implement and integrate the legal framework, as well as to the Committee and the various supervisory authorities to contribute to uniform application, clarification of legal provisions, review of guidelines in the light of experience and case law of the CJEU, development of practical tools to address, in particular, “low-risk SMEs”), completed the examination of this document we have asked ourselves and we ask ourselves, really without prejudice or polemical intent: is that all?

We realise that it is pretentious to even speculate, a little more than 4 years after its entry into force (…), about a borderless institutional reflection on Regulation 679/2016, considering that the attitude that recurs is markedly Eurocentric and ironclad is the idea that its text contains the best data protection discipline in the world.

But is this really the case? Even if this is likely to be the case, should this exclude a priori certain thorny aspects of the Regulation’s provisions, which the experience of more than two years of application has already highlighted?
In the awareness of the relativity of each point of view, we line up a few – for the moment only a few – issues considered of particular importance, some of which have already surfaced, here and there, in the comparison between interpreters/experts:

1) the contrast between the principle of atypicality of the measures codified by art. 32 – for which it is the owner who is responsible for identifying and adopting the “appropriate measures” – and the provisions of the Regulation that typify certain obligations/measures, in particular those that require, upon the occurrence of certain conditions or the existence of certain conditions, the keeping of a data processing register (art. 30), the assessment of impact on data protection (art. 35), the designation of a DPO/DPO (art. 37);

2) (exacerbates the contrast) the very nature of the above mentioned provisions, whose formulations are sometimes not at all clear, exact, so that – in addition to the industrial production of guidelines and guidelines, tools that are regularly valuable but insufficient (they cannot recover from the provisions the quality they do not have) -, difficulties of an interpretative/applicative nature are generated that may mislead the holder, for example: to prefer, albeit reluctantly (…), a performance that may not be due, rather than facing the risk of sanctions; or, worse, to carry out an assessment (of non-recurrence of the obligation) that will then be judged wrong and followed by sanction. The concept of “large scale” is an example of a certain generic/vagueness, which no one (with the peace of mind of the effort made, for example, by the Art. 29 Group, in the Guidelines on Data Protection Officers – Rev. 01 of 5 April 2017) can ever translate into a precise, unequivocal indication (generic or unclear, which ends up, among other things, by pouring an abnormal discretion on the supervisory authorities, certainly warned by them). Another critical passage cannot fail to be found in the formulation of paragraph 5 of Art. 30 – where the field of (non) application of the obligation to keep the register is regulated – on which opposing interpretative hypotheses are confronted, with equal results;

3) the provision of administrative sanctions ‘up to a maximum of’, with the related indeterminacy. Penalties that are potentially even very high, capable of wiping out an organisation’s activities, such as to put the control authorities themselves in difficulty when they are called upon to apply them, because of the superlative burden of responsibility that they are called upon to assume on their own shoulders. Nor is it enough: it is necessary to consider their particular afflictiveness, which ends up bringing them ontologically closer to criminal sanctions, in a relationship of very close kinship that poses a problem with the other side of sanctioning legislation, which is also formally criminal and additional legislation issued to individual States;

4) the provision of administrative sanctions even in the event of ‘formal’ non-compliance, i.e., the impossibility of generating consequences or prejudice to the rights and freedoms of individuals (classic example: the failure to draw up and keep a register of treatments). From this point of view, the reflection could (the conditional means that one more would be more, but the less would be enough) take off towards a much more ambitious goal: the different (perhaps superior?) philosophy of a regulatory system that would remove administrative sanctions from itself, in order to focus attention on strengthening compensation profiles and procedures – in terms of effective and timely compensation of damages to those whose rights/freedom have been violated or trampled upon in practice.

Ultimately, it would be desirable to see at least the principle of ‘no sanction/without injury’, which could help to conceive the adjustment and accountability of the owner not as an escape route from the sanction risk, but as an opportunity for cultural growth and development of the organisation’s relations with its stakeholders. SOURCE: FEDERPRIVACY

Recommended to you

Advanced Research